How to enable Captive portal more than one interfaces?


This topic contains 14 replies, has 0 voices, and was last updated by  hminkoong 9 years, 3 months ago.

  • #41726

    hminkoong
    Member

Does anyone know how to enable Captive portal with more than one interface?

    For Example:

    I want to enable Captive portal on ETH00(192.168.1.0/24) and ETH01 (192.168.2.0/24).

    Is it possible?

    #48258

    What is the purpose of approaching the captive portal in that way?

    #48259

    hminkoong
    Member

I want to create 3 different SSIDs with different networks, i.e. one for “Guest” (192.168.2.0/24), one for “Training” (192.168.3.0/24),
and the other for “Staff” (192.168.4.0/24), for security reasons.
Moreover, I want these networks to use Captive portal authentication.

    Is that possible?
    Do you have any suggestion?

    #48260

You can use interface bridging to accomplish what you’re saying, although I believe bridging has its inherent security holes. The best way to accomplish what you want would be through the use of VLANs with default gateways multi-homed on your captive portal interface. Zeroshell also has VLAN features that you can enable on the user creation page with 802.1x.
I’m guessing, since you didn’t try implementing this first, that you probably don’t have a lot of experience with VLANs. Essentially a single SSID and multiple VLANs for Guest, Staff, Training.

    #48261

    hminkoong
    Member

I understand your suggestion. However, I also want Zeroshell to assign dynamic IP addresses to each VLAN. That’s why I have to create 3 VLANs on ETH00 instead of creating 3 virtual IP addresses (multi-homed) on ETH00 (native VLAN).

My requirement:
I want Zeroshell to enable captive portal on 3 VLANs and assign dynamic IP addresses to each VLAN (i.e. Guest, Training, Staff, etc.).

    My network layout:

    My zeroshell interface configuration(Eth00):

Zeroshell can assign dynamic IP addresses on each VLAN.

Problem: Zeroshell allows enabling Captive portal on only one VLAN.

Are there any ideas how to make the captive portal listen on more than one subnet?

    #48262

    giancagianca
    Member

The standard ZS captive portal can handle only one interface.

You can try (not tested) to add a rule to the firewall chain CapPort from the console.
Normally it is:

Chain CapPort (1 references)
 pkts bytes target     prot opt in     out     source               destination
  44M   23G CapPortACL all  --  ETH01  *       0.0.0.0/0            0.0.0.0/0

ETH01 is the interface in my configuration.

You can try to add other rules for your interface.

If that does not work, you can modify the script that authorizes the user:

/root/kerbynet.cgi/scripts/cp_authorize_client

This script changes the firewall chain when a user logs in or logs out.

If I remember correctly, the interface appears only in chain CapPort.

    bye.

    #48263

    hminkoong
    Member

    Thanks a lot giancagianca.
    I will try and tell you the results.

    #48264

I’m still unsure what your hardware switch capabilities are, so since it’s really getting specific to your needs I’ll send you a PM.

    #48265

    giancagianca
    Member

Today I looked at the script. The captive portal is enabled in /root/kerbynet.cgi/scripts/cp_start:

    # Bridged mode matches on the physical ingress port, routed mode on the interface.
    if [ "$MODE" == Bridged ] ; then
        iptables -A CapPort -m physdev --physdev-in $INTERFACE -j CapPortACL
        iptables -t nat -A CapPort -m physdev --physdev-in $INTERFACE -p tcp --dport 80 -j CapPortHTTP
        iptables -t nat -A CapPort -m physdev --physdev-in $INTERFACE -p tcp --dport 443 -j CapPortHTTPS
        ## iptables -t nat -A CapPort -m physdev --physdev-in $INTERFACE -p tcp --dport $GWPORT -j CapPortGW
        ## iptables -t nat -A CapPort -m physdev --physdev-in $INTERFACE -p tcp --dport $GWPORTSSL -j CapPortGW
        iptables -t nat -A CapPort -m physdev --physdev-in $INTERFACE -p tcp --dport $REMOTEPT -j CapPortGW
        iptables -t nat -A CapPort -m physdev --physdev-in $INTERFACE -p tcp --dport $REMOTESSL -j CapPortGW
    else
        iptables -A CapPort -i $INTERFACE -j CapPortACL
        iptables -t nat -A CapPort -i $INTERFACE -p tcp --dport 80 -j CapPortHTTP
        iptables -t nat -A CapPort -i $INTERFACE -p tcp --dport 443 -j CapPortHTTPS
        ## iptables -t nat -A CapPort -i $INTERFACE -p tcp --dport $GWPORT -j CapPortGW
        ## iptables -t nat -A CapPort -i $INTERFACE -p tcp --dport $GWPORTSSL -j CapPortGW
        iptables -t nat -A CapPort -i $INTERFACE -p tcp --dport $REMOTEPT -j CapPortGW
        iptables -t nat -A CapPort -i $INTERFACE -p tcp --dport $REMOTESSL -j CapPortGW
    fi
    # With a remote login page, let unauthenticated clients reach that server.
    if [ "$WEBLOGIN" == Remote ] ; then
        iptables -A CapPortACL -d $REMOTEIP -p tcp --dport $REMOTEPT -j ACCEPT
        iptables -A CapPortACL -d $REMOTEIP -p tcp --dport $REMOTESSL -j ACCEPT
    fi

INTERFACE is the selection made in the web configuration.

You can add a new section which enables the captive portal on another interface.

If you want to make the changes permanent: http://www.zeroshell.net/forum/viewtopic.php?t=382

    bye

    #48266

    hminkoong
    Member

Thank you so much, guys.
Anyway, I will tell you the result after I try…

    #48267

    hminkoong
    Member

I added the new section for another interface.
Unfortunately it doesn’t work… 🙁
I think this is just one script and possibly other scripts need to be modified.
Anyway, thanks for your advice.

    #48268

    giancagianca
    Member

You must change only cp_start.

Example:

    # Routed-mode rules for a second captured interface, ETH02
    iptables -A CapPort -i ETH02 -j CapPortACL
    iptables -t nat -A CapPort -i ETH02 -p tcp --dport 80 -j CapPortHTTP
    iptables -t nat -A CapPort -i ETH02 -p tcp --dport 443 -j CapPortHTTPS
    iptables -t nat -A CapPort -i ETH02 -p tcp --dport $REMOTEPT -j CapPortGW
    iptables -t nat -A CapPort -i ETH02 -p tcp --dport $REMOTESSL -j CapPortGW

Insert this line at the bottom of cp_start:

    # Open the portal listener ports on ETH02 at position 3 of SYS_INPUT
    iptables -I SYS_INPUT 3 -i ETH02 -p tcp --dport 12080:12083 -j ACCEPT

to enable ETH02.
For another interface, change 3 to 4.
The first interface (ETH01) is enabled from the web interface.

In the web interface you must select only IP address for Client Identity.

I cannot test with VLANs, but I think that works.

It works only in routed mode.

After the change, restart the captive portal.

In my test, ETH00 is the public IP and ETH01-ETH02 are captured.

    bye

    #48269

    hminkoong
    Member

Thank you so much, giancagianca.
It works… 😀

    #48270

    paxvor
    Member

Is there a way for the captive portal to allow some free destinations, like an IP address or domain?

Thanks

    #48271

    paxvor
    Member

I got it after tweaking around… 🙂
It’s not pretty but it works (at least for me) 🙂

Just add the following to the post-boot script:

    # Let unauthenticated clients reach IP_destination in the filter chain
    iptables -A CapPortFS -d IP_destination -j ACCEPT

    # Skip the portal redirects in the nat chains for the same destination
    iptables -t nat -I CapPortGW 1 -d IP_destination -j ACCEPT

    iptables -t nat -I CapPortHTTPS 1 -d IP_destination -j ACCEPT

    iptables -t nat -I CapPortHTTP 1 -d IP_destination -j ACCEPT

and then restart.

Thanks for this superb firewall.
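A dry-run helper covering both rule sets in this thread (giancagianca's extra-interface rules and paxvor's free-destination rules), added here as an example and not ZeroShell's own code. It assumes the chain names and ports quoted in the thread, uses placeholders for REMOTEPT/REMOTESSL, assumes VLAN sub-interfaces are named like ETH00.10, and with IPT unset only prints the commands it would run.

```shell
# Added example, not ZeroShell's own code: emit the iptables rules from this
# thread for extra routed captive-portal interfaces and for free destinations.
# IPT defaults to "echo iptables" (dry run); on the box set IPT=iptables.
# REMOTEPT/REMOTESSL are cp_start's variables; these defaults are placeholders.
: "${IPT:=echo iptables}"
: "${REMOTEPT:=REMOTEPT_PLACEHOLDER}"
: "${REMOTESSL:=REMOTESSL_PLACEHOLDER}"

# Accept only ETHnn or an assumed VLAN name like ETH00.10, so a stray
# character can never become an extra iptables argument.
valid_iface() {
    case "$1" in
        *[!A-Z0-9.]*) return 1 ;;
        ETH[0-9][0-9]|ETH[0-9][0-9].[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# cp_start's routed-mode rules for one extra interface, plus the SYS_INPUT
# rule that opens the portal listener ports 12080-12083 at position $2.
cp_iface_rules() {
    iface=$1; pos=$2
    valid_iface "$iface" || { echo "bad interface: $iface" >&2; return 1; }
    $IPT -A CapPort -i "$iface" -j CapPortACL
    $IPT -t nat -A CapPort -i "$iface" -p tcp --dport 80 -j CapPortHTTP
    $IPT -t nat -A CapPort -i "$iface" -p tcp --dport 443 -j CapPortHTTPS
    $IPT -t nat -A CapPort -i "$iface" -p tcp --dport "$REMOTEPT" -j CapPortGW
    $IPT -t nat -A CapPort -i "$iface" -p tcp --dport "$REMOTESSL" -j CapPortGW
    $IPT -I SYS_INPUT "$pos" -i "$iface" -p tcp --dport 12080:12083 -j ACCEPT
}

# First interface comes from the web UI; extras take SYS_INPUT slots 3, 4, ...
cp_extra_ifaces() {
    pos=3
    for iface in "$@"; do
        cp_iface_rules "$iface" "$pos" || return 1
        pos=$((pos + 1))
    done
}
# Allow one IPv4 destination before login (paxvor's rules); dotted quad only.
cp_free_dest() {
    dest=$1
    case "$dest" in
        ""|*[!0-9.]*|*..*|.*|*.) echo "bad address: $dest" >&2; return 1 ;;
    esac
    $IPT -A CapPortFS -d "$dest" -j ACCEPT
    $IPT -t nat -I CapPortGW 1 -d "$dest" -j ACCEPT
    $IPT -t nat -I CapPortHTTPS 1 -d "$dest" -j ACCEPT
    $IPT -t nat -I CapPortHTTP 1 -d "$dest" -j ACCEPT
}
```

Run `cp_extra_ifaces ETH02 ETH03` to see the twelve commands it would issue, and only then rerun with `IPT=iptables` appended to cp_start as the thread describes.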
